LGA - Local Government Association

09/13/2023 | Press release | Distributed by Public on 09/13/2023 03:24

Building a Cyber Resilient Service: A Guide for Directors of Children’s Services

About this guide

Welcome to our guide on Building a Cyber Resilient Service: A Guide for Directors of Children's Services. This document aims to support Directors to develop protective strategies and capabilities to enhance the cyber resilience of their service; some recommendations are technical, some organisational and some are about people. We discuss these protective strategies, how they work together, and what to do, and what not to do, so Directors can create a positive culture surrounding cyber security in their team. The document is intended to get Directors thinking about the intricacies of cyber security in the context of delivering children's services. It does not seek to produce a single, set blueprint. Due to the ever-changing nature of cyber threats, Directors and their senior teams should regularly review their cyber security practices and policies, while also looking at their capacity and capabilities to deal with them.

Summary

This document aims to support Directors of Children's Services (DCS) and their senior team, looking to build the cyber defences of their service and enhance their cyber resilience in order to reduce the likelihood of a cyber attack and its impact if and when an incident takes place. It will help you consider the risks to your service, the things you want to protect and the harms you most want to avoid.

Introduction

Cyber security poses a major risk for councils. At least 11 million attacks on UK councils occurred in 2022, with over 10,000 attacks every day (Gallagher).[1] If, or when, a cyber attack hits your council, it could cause significant disruption. An attack on critical systems could damage the council's reputation and finances, and have a significant impact on its ability to deliver on its priorities and comply with service legal requirements. What is your service doing to reduce cyber risk - to lessen the probability and severity of an attack? Is cyber security something you think about?

This guide for Directors of Children's Services offers a set of cyber security steps to consider:

  • Step 1: Be clear on what cyber security means
  • Step 2: Be clear on your cyber security role
  • Step 3: Be clear on the cyber risk to your service
  • Step 4: Be clear on the likelihood of an attack and by whom
  • Step 5: Be clear on why your service may be a target
  • Step 6: Be clear on the impact of a cyber attack
  • Step 7: Be clear on ways to mitigate cyber risks
  • Step 8: Be clear on ways to respond and recover

Step 1: Be clear on what cyber security means

The National Cyber Security Centre (NCSC) is an organisation of the UK Government that provides advice and support for the public and private sector in how to avoid computer security threats. It defines cyber security as: [2]

How individuals and organisations reduce the risk of cyber attack. Cyber security's core function is to protect the devices we all use (smartphones, laptops, tablets, and computers), and the services we access - both online and at work - from theft or damage. It's also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.

Good cyber security practices are important for individuals and organisations. Responsibility for cyber security sits at a corporate level, but ultimately it is the responsibility of each service to protect its own assets and critical services. Your service will be underpinned by data and technology, and that technology is evolving at speed. These changes create benefits and opportunities; however, they also increase the potential for cyber attacks.[3] You will need to ensure robust cyber security to safeguard data, infrastructure and service delivery.

Step 2: Be clear on your cyber security role

Consider cyber security alongside your statutory role in providing '…a clear and unambiguous line of political and professional accountability for children's wellbeing.'[4] You are accountable for ensuring that the welfare of children in your council area is considered across everything you deliver, alongside the Lead Member for Children's Services and the Chief Executive[5]. It is your role to ensure clear and effective arrangements are in place to protect children and young people from harm - including harm caused by the loss or misuse of data about them and their families stored on your computer networks.[6]

When discussing cyber risks, the conversation tends to focus on the role of the IT department. IT teams are there to support the whole workforce, and though they do have a role to play, it is the responsibility of you and your senior team to understand cyber vulnerabilities and threats to your service. A cyber attack can and will affect all areas of the council, and it is essential to prepare.

Step 3: Be clear on the cyber risk to your service

Cyber security will now be included as part of the corporate risk assessment, and should be treated like any other business risk, the sort of risk you manage on a daily basis. A fundamental aspect of a cyber risk assessment is to understand the likelihood that your organisation will be attacked, by whom, and for what purposes. This assessment will help you to be realistic about the cyber risks to your service and to understand how to mitigate them. For this to happen, you need to identify the key elements of high value in your service's computer networks that, if attacked, would severely disrupt your ability to serve and protect children and young people.

  • Service operation and delivery relies on digitised information. The "digital space" contains the most crucial business assets.
  • Vital life and limb services to the community now depend on information and communications technologies.
  • Councils continue to evolve the digitisation of their public services and interact in new ways with their workforce and citizens online.
  • COVID-19 has encouraged greater reliance on the internet and cloud services, changing the landscape further.

The more systems used as part of your service, the more potential there is for vulnerabilities to be exposed, especially due to the commonly used practice of data linking. Vulnerabilities, or potential weaknesses in the cyber security of systems, may be shared online as they are disclosed, and in some cases may fall into the hands of attackers who wish to exploit them. Therefore, it is essential that security updates are applied to all systems with access to the internet as often as possible, and a good vulnerability management process will help you understand which ones are most serious and need addressing first.[7]
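The paragraph above asks a service to know which outstanding security updates are most serious. The following is an added example, not part of the LGA guide, of a simple prioritisation model a service could run over its own inventory: it weights the vulnerability's severity by whether the system is internet-facing, whether it holds children's data, and whether exploitation has been reported, and compares the time a fix has been available against an illustrative remediation window. The system names, scores and weightings are all constructed for the example.

```python
"""Rank outstanding security updates so the most serious are addressed first.

Added example: a simple vulnerability-prioritisation model for a service
inventory. The system names and findings below are constructed and are
not drawn from any real council environment; the weights are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    system: str              # name of the system or device (constructed)
    cvss: float              # CVSS base score of the unpatched vulnerability, 0-10
    internet_facing: bool    # reachable from the internet
    holds_child_data: bool   # stores personal data about children or families
    days_unpatched: int      # days a fix has been available but not applied
    exploited_in_wild: bool  # a vendor or NCSC advisory reports active exploitation


# Constructed sample inventory for the example.
SAMPLE_FINDINGS = [
    Finding("case-management-web", 9.8, True, True, 12, True),
    Finding("hr-intranet", 7.5, False, False, 40, False),
    Finding("reporting-portal", 6.8, True, True, 3, False),
    Finding("print-server", 5.3, False, False, 90, False),
    Finding("partner-sftp-gateway", 8.2, True, True, 30, False),
]


def priority_score(f: Finding) -> float:
    """Combine severity with exposure and data sensitivity.

    The weights are illustrative assumptions, not a published standard:
    CVSS is the base; internet exposure and child data each raise the score;
    known exploitation is the strongest multiplier; and a small, capped
    allowance for age lets old medium-severity issues surface eventually.
    """
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.holds_child_data:
        score *= 1.3
    if f.exploited_in_wild:
        score *= 2.0
    score += min(f.days_unpatched, 90) / 30.0
    return round(score, 2)


def sla_days(f: Finding) -> int:
    """Target remediation window in days (illustrative assumption)."""
    if f.exploited_in_wild or (f.internet_facing and f.cvss >= 9.0):
        return 2
    if f.internet_facing or f.cvss >= 7.0:
        return 14
    return 30


def rank_findings(findings):
    """Return (system, score, sla_days, overdue) tuples, most urgent first."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [
        (f.system, priority_score(f), sla_days(f), f.days_unpatched > sla_days(f))
        for f in ranked
    ]


if __name__ == "__main__":
    for system, score, sla, overdue in rank_findings(SAMPLE_FINDINGS):
        flag = "OVERDUE" if overdue else "within SLA"
        print(f"{score:6.2f}  {system:24s}  fix within {sla:2d} days  ({flag})")
```

The point for a director is the shape of the output rather than the arithmetic: an internet-facing case-management system with a known-exploited flaw sits at the top even before its age is considered, and the list shows which items are already past the window the service set for itself, which is the assurance question in Table 1 ("How do you seek assurance that software is up to date?").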

There may also be high turnover of staff in your increasingly busy service area. With a large number of joiners, movers and leavers, responsibilities, line management and access rights change often, creating further vulnerabilities. It will be important to have robust processes in place to manage this.
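As an added illustration of the joiner, mover and leaver problem described above (this is example code, not part of the LGA guide), the script below reconciles an HR export against an access export from a case recording system and flags the three things such a review is looking for: leavers whose accounts are still enabled, movers whose access profile no longer matches their team, and enabled accounts with no person behind them. The roster, account names and dates are constructed for the example.

```python
"""Reconcile HR joiner/mover/leaver records against a system access list.

Added example (not from the guide): a check a service can run against
exports from HR and from a case recording system. All records below are
constructed; the field names are assumptions about what such exports hold.
"""
from datetime import date

# Constructed HR export: one row per person, status as HR records it.
HR_ROSTER = [
    {"staff_id": "S001", "name": "A. Example", "team": "Safeguarding", "status": "active"},
    {"staff_id": "S002", "name": "B. Example", "team": "Fostering", "status": "left",
     "left_on": date(2023, 6, 30)},
    {"staff_id": "S003", "name": "C. Example", "team": "Early Years", "status": "active"},
    {"staff_id": "S004", "name": "D. Example", "team": "Safeguarding", "status": "active"},
]

# Constructed access export: 'role' is the access profile the account holds.
SYSTEM_ACCESS = [
    {"account": "aexample", "staff_id": "S001", "role": "Safeguarding", "enabled": True},
    {"account": "bexample", "staff_id": "S002", "role": "Fostering", "enabled": True},
    {"account": "cexample", "staff_id": "S003", "role": "Safeguarding", "enabled": True},
    {"account": "tempagency1", "staff_id": None, "role": "Safeguarding", "enabled": True},
    {"account": "dexample", "staff_id": "S004", "role": "Safeguarding", "enabled": False},
]

# Constructed date on which the review is run.
REVIEW_DATE = date(2023, 9, 13)


def reconcile_access(roster, access, today):
    """Return a list of (account, issue, detail) tuples for follow-up.

    Issues raised:
      leaver-active  : HR says the person has left but the account is enabled
      role-mismatch  : the access profile differs from the HR team (a mover)
      orphan-account : enabled account with no staff record behind it
    """
    by_id = {p["staff_id"]: p for p in roster}
    findings = []
    for acct in access:
        if not acct["enabled"]:
            continue  # disabled accounts are not an access risk for this check
        person = by_id.get(acct["staff_id"])
        if person is None:
            findings.append((acct["account"], "orphan-account", "no HR record"))
            continue
        if person["status"] == "left":
            days = (today - person["left_on"]).days
            findings.append((acct["account"], "leaver-active", f"left {days} days ago"))
        elif person["team"] != acct["role"]:
            findings.append((acct["account"], "role-mismatch",
                             f"HR team {person['team']!r}, access profile {acct['role']!r}"))
    return findings


def run_review():
    """Run the reconciliation over the constructed sample data."""
    return reconcile_access(HR_ROSTER, SYSTEM_ACCESS, REVIEW_DATE)


if __name__ == "__main__":
    for account, issue, detail in run_review():
        print(f"{issue:15s} {account:12s} {detail}")
```

Run regularly, a check like this turns "How often does your team review accesses?" from Table 2 into a concrete list that the service and IT can work through together; the orphan-account case is the one most relevant to agency and temporary staff, who may never appear in the HR roster at all.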

Step 4: Be clear on the likelihood of an attack and by whom

Robert Mueller, Former Director of the FBI, is on record as saying: [8]

I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

The UK government has identified ransomware attacks as the most significant cyber threat facing the country, and this type of attack is increasing as criminals develop new techniques to circumvent cyber defences, including a focus on targeting the users of technology as well as the technology itself.[9]

Step 5: Be clear on why your service may be a target

Consider the three categories of harm caused by a cyber attack: getting robbed (stealing cash, data or intellectual property), getting weakened (espionage, political interference or prepositioning) and getting hurt (ransomware and destructive or catastrophic attacks).[10] Which of these motivations is most relevant to a children's services team? What do you have that makes you vulnerable? Is data theft at the top of this list, specifically personally identifiable information about the children your service is responsible for safeguarding? All councils own and safeguard digital data of interest to malicious actors, making them a target.[11]

Children's services, and teams within this directorate, are supported by a huge amount of data. This amount of sensitive data makes your service vulnerable to cyber attacks, as this data may be considered valuable to malicious actors. Attackers may be looking to steal data for resale on the Deep Web, or alternatively may understand how crucial this data is for life and limb services to continue to run and the leverage that gives them for extortion. Cyber security is vital to ensure that this golden record data is secure and cannot be obtained or manipulated. It also sets out to minimise the risk of disruption that can be caused by attackers. For example, your service will hold data on children looked after, child protection, special educational needs and disability, pupil attainment, children's health, and post-16 circumstances and judgements from Ofsted. Further datasets are included in Figure 1.

Figure 1: Commonly-held children's services data

  • Personal details - Names, addresses, gender, dates of birth, and contact details for the child and their parents or carers.
  • Contact details - Name and contact details of any person with parental responsibility, or who has care of a child at any time.[12]
  • Education data - Unique Pupil Number (UPN), details of any education being received by a child, including the name and contact details of any educational institution they attended.
  • Health data - NHS number, name and contact details of any person providing primary medical services in relation to a child.[13]
  • Social care data - Child-level data, information[14] about any safeguarding concerns, child protection plans, and any involvement with children's social care services.
  • Early years data - Information about a child's development and progress in early years settings such as nurseries or childminders.
  • Youth services data - Information about a child's participation in youth services and any support they receive.
  • Adoption and fostering data - Information about children who have been adopted or placed in foster care, as well as information about prospective adoptive or foster parents.
  • Legal data - Information about any court orders or legal proceedings related to the child.

Step 6: Be clear on the impact of a cyber attack

In 2020, Hackney Council were the victim of an extremely disruptive ransomware attack which affected all systems and services. 'Among the hundreds of services Hackney Council provides are social and children's care, waste collection, benefits payments to people in need of financial support, and public housing. Many of these services are run using in-house technical systems and services'[15] which meant these critical services were unable to operate. Two years after the initial incident, they were still in recovery mode, with some IT systems still in the process of remediation, whilst some data was completely lost. The attack cost the council approximately £12 million.

In March 2023, Capita, an organisation which runs crucial services for many local councils, the military, and the NHS, was the victim of a cyber attack which caused a significant IT outage. Following this attack, it was found that Capita had been storing client data in an unsecured AWS bucket. Colchester City Council, Coventry City Council, Adur and Worthing, Rochford District Council, Derby City Council, and South Staffordshire were amongst the organisations affected by the attack, which exposed potentially sensitive data and caused some services to come to a halt. The attack garnered much media attention and exposed the supply chain risk experienced by all councils. Reputational damage and resident concern was a significant issue - Tom Willis, interim Director of Resources, said in a statement: [16]

We take very seriously our commitment to safeguarding the privacy and security of our residents' personal information. We know this will cause concern to residents and we want to apologize to those affected on behalf of Capita. We will be working with Capita to review the company's processes and ensure the avoidance of any further breaches.

Figure 2: Example of service impact

During a cyber attack you may have no access to the internet or your networks within which documents are stored. You need to consider how the loss of internet access might affect your critical services, and how you could keep them running - you may need alternative manual processes in place to keep a skeleton service operational.

Working with IT support prior to an incident to prioritise the systems to be recovered will assist them with their workload and allocation of resources. Similarly, identify where processes are dependent on other internal and external systems being available. Simply restoring one system in isolation may not be sufficient to allow a service to start operating after an attack.

Always work in partnership with your IT team if you are making any changes to your service. This could include new information sharing agreements, procuring new systems, or changes to processes. Cyber security and IT implications should be factored into all these decisions.

For further guidance on effective cross working with IT, please read Must Know: Children's services guide to effective cross-council working.

Things to consider:

  1. Which services operated by your team rely on internet access?
  2. Which of these services is prioritised to get back online first?

Create offline records and plans for use during an attack and ensure all teams have access to them.

Figure 3: Example of financial impact

If a cyber attack was to impact your team's services, it could affect the financial systems that you operate. For example, if the system responsible for foster carer payments or direct payments was unavailable, you may not be able to make payments on time.

Things to consider:

  1. Does your team have an offline record of payments to be made?
  2. How would you ensure carers, benefit receivers and other payees receive their payments regularly, if the payment system was unavailable?
  3. What additional safeguarding concerns would be created if vulnerable families had not received essential payments?

Discussing these risks with the finance team and ensuring this is included in both yours and their continuity plans is essential.

Figure 4: Example of data impact

The Child Protection Information Sharing (CPIS) integrations with the NHS should also be considered as this provides the NHS with vital information about vulnerable children.

Areas to consider:

  1. Are offline records available for use during a cyber attack?
  2. If you were unable to share this data due to a cyber attack at your authority or at the NHS, how could you continue to share this information securely to protect the most vulnerable children?

Discussing these risks with your IT service and the NHS' IT service will ensure there is a robust back up system in place.

Step 7: Be clear on ways to mitigate cyber risks

Cyber risks cannot be completely eradicated, but they can be significantly minimised through planning for such an event, as well as the creation of an informed and empowered cyber security culture in your team. Your role is to consider ways to improve the management of information and data in your service to ensure the safety and wellbeing of children and young people, for example by managing the technical specifications and security of your databases. Here are some considerations for mitigating the risks posed to information and data within children's services:

Table 1: Storing data

Theme: Databases

Context: As your service becomes more digital, systems will need to move online. Examples of these systems include Mosaic, Liquid Logic, Python, and more. To limit vulnerabilities, staff need support to run their devices on the latest available software and to install regular security updates. The widescale practice of data linking will be a particular vulnerability for your service.

Areas to consider:

  • How regularly is software updated?
  • Who is responsible for update rollout?
  • How would your service operate without access to databases?
  • How do you seek assurance that software is up to date?
  • How is the golden record protected against data linking vulnerabilities?

Theme: Cyber security measures

Context: Implement cyber security measures on council hardware, such as firewalls, antivirus software, and intrusion detection systems, to protect against cyber attacks.

Areas to consider:

  • Does all hardware support updated systems?
  • How often does staff training take place?

Theme: Devices and networks

Context: Storing and accessing data on personal devices or through a public, unsecured network could create vulnerabilities. Any data stored in an unsecured way can create vulnerabilities, including data downloaded onto a desktop.

Areas to consider:

  • Are staff using personal devices to access sensitive data?
  • Are all staff in your service aware of potential vulnerabilities exposed by the use of public networks?
  • How often do staff delete downloaded data from their desktop?

Theme: Backups

Context: Your service should have suitable, secured backups of essential data that would allow for a quick and prompt recovery of essential services. This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms.

Areas to consider:

  • How often do backups take place?
  • Where are backups stored?
  • Are your team aware of how to access backups in case of an attack?
  • Who has access to backup data?
  • Which member of your team is responsible for this?

Table 2: Managing data

Theme: Handling sensitive data

Context: Due to the nature of the work your service delivers, you will be handling sensitive data on a day-to-day basis, both electronically and physically. Your team must take extra precautions to protect the sensitive information outlined above.

Areas to consider:

  • Are you aware of all the sensitive data your service holds?
  • How are physical notes and records stored or destroyed?
  • What systems are used to store electronic records and information?

Theme: Access controls

Context: To ensure this sensitive data is protected, you should implement access controls and restrict access to sensitive information to authorised personnel only. Training staff members on secure data handling is essential, and you should ensure they are aware of their responsibilities in protecting children's data.

Areas to consider:

  • How is sensitive information stored in your service?
  • How is it protected?
  • Who has access to data storage systems?
  • How often does your team review accesses?
  • How often does training take place?
  • How often are passwords changed?
  • Is multi-factor authentication in use across programmes?

Theme: Regular audits

Context: Your service should be conducting regular audits of data management practices to ensure that they comply with relevant regulations and industry standards, e.g. ensuring data is only held for a relevant amount of time or is stored in the correct system. Keep track of any changes in data protection laws and update practices accordingly.

Areas to consider:

  • How often do you audit your data management practices?
  • Who is responsible for organising this audit?
  • How do you seek assurance that effective audits have taken place?

Theme: Data protection regulations

Context: In the UK, we operate within legal regulations for data management, mainly the General Data Protection Regulation (GDPR). It is your obligation to ensure that your team complies with these data protection regulations to protect children's personal data and ensure that the personal data of children and their families is collected, processed, and stored lawfully, fairly, and securely.

Areas to consider:

  • Are your team aware of GDPR regulations and how they affect your work?
  • How often does staff training take place?

Theme: Record keeping

Context: Accurate and up-to-date record keeping is essential in children's services to ensure that important information about children and their families is available when needed. Records should be kept securely and in accordance with relevant legislation, and regular audits should be carried out to ensure the accuracy and completeness of the records.[17]

Areas to consider:

  • How often do your team update records?
  • How are records stored and updated?

Theme: Risk management

Context: Risk management processes, such as conducting regular risk assessments, implementing appropriate security measures, and developing contingency plans for data breaches, are essential to identify and mitigate potential risks to the security and privacy of children's data.[18] These risks should be added to the corporate risk register and raised to SMT.

Areas to consider:

  • How often do risk assessments take place in your service?
  • What contingency plans are in place for data breaches?
  • Are staff aware of data breach processes?

Table 3: Sharing data

Theme: Collaboration and safeguarding

Context: Sharing information enables practitioners and agencies to identify and provide appropriate services that safeguard and promote the welfare of children.[19] However, information sharing must be done in accordance with relevant legislation, such as the Children Act 2004, and must ensure that the privacy and confidentiality of the children and their families is maintained. Effective information governance practices, such as assigning responsibility for data management, providing training on data protection and confidentiality, and implementing secure IT systems and procedures, are essential to ensure that data is managed securely and appropriately.

Areas to consider:

  • Who is responsible for data management and sharing in your service?
  • How often does training take place?
  • What procedures are in place to ensure effective and secure data sharing between teams and partners?
  • Do you feel confident that information is being shared safely by members of your team?

Theme: Child-level data

Context: You may be asked to share child-level information as part of an inspection of local authority children's services (ILACS). Ofsted provides guidance for correct and secure sharing of this data set.

Areas to consider:

  • Are your team aware of the sort of data they may be asked to share with Ofsted?
  • How do you gain assurance this is being handled correctly?

Theme: Consent

Context: As set out in the Data Protection Act 2018, you do not need to seek consent before collecting, processing, or sharing information regarding children who may be at risk. It is, however, considered to be good practice to inform a parent or carer when sharing data.

Areas to consider:

  • Are all staff aware of consent regulations?
  • Are your team clear on when they need to gain consent for sharing data?

Theme: Offline records

Context: When assessing the risks to your service, you should also think about any partner organisations you work with, suppliers and any systems you have external links with. You will need to have a robust and prearranged process in place for sharing information securely, so nothing is shared inadvertently. In addition to this, most IT systems will have a process in place for restricting sensitive records (like post adoption records or children who are related to staff members), but if you are working offline then you'll need to consider additional security measures for these cases.

Areas to consider:

  • Do you have processes in place for sharing offline information with partners?
  • What security measures are in place for sharing sensitive information?

For more information about secure data management and security, please read Working Together to Safeguard Children 2018.

Table 4: Awareness and training

Theme: Positive culture

Context: A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council. It will ensure that staff view cyber security as a business enabler rather than a hindrance and that it is understood by councillors and staff.

Areas to consider:

  • Does your team speak openly and regularly about cyber security and risk?
  • How often does your service review the cyber security strategy?
  • How confident do your team feel with the strategy?

Theme: Awareness

Context: Experience shows that cyber risk to councils does not only come from external sources; employees can often present some of the most significant risks to cyber security. By clicking on links in phishing emails, storing sensitive data on personal devices, using unsecured networks or weak passwords, or not installing security updates, employees can put your information under serious threat.

Areas to consider:

  • Do you understand the awareness levels of cyber security within your team?
  • How can you ensure cyber risk is pitched correctly for various roles in your service?

Theme: Training

Context: Cyber security training should be refreshed regularly. As a DCS you'll be aware of the high demands on the staff within children's services; however, this training must be prioritised to reduce the risk of a cyber attack, as human error caused 90% of cyber data breaches in 2019, according to analysis of data from the UK Information Commissioner's Office (ICO) carried out by CybSafe.

Areas to consider:

  • How often does cyber security training take place in your service?
  • Is training appropriate for all staff at different technical levels?

Theme: Reporting

Context: In order to create a positive cyber security culture in your service, all staff must be aware of the process of reporting a potential breach and feel confident to do so at all levels.

Areas to consider:

  • Do all team members understand the process of reporting a data breach?
  • Is there a communication strategy in place to report data breaches to the affected families?
  • What impact would a data breach have on your team's safeguarding and GDPR practices?

Theme: Workforce

Context: A large number of agency staff may be being used by your service and in the supply chain.

Areas to consider:

  • How can you integrate cyber secure practices into this temporary and externally managed workforce?

Table 5: Supply chain management

Theme: Co-ownership

Context: Procurement practices should be co-owned by IT, procurement and Children's Services, which will ensure that products are understood from a business and technical perspective.

Areas to consider:

  • Do members of your team work closely with other teams during the procurement process?
  • What barriers are in place during this process?
  • What needs to change in order to streamline this process?

Theme: Procurement

Context: Your service should take steps to ensure that external providers are subject to rigorous procurement processes that assess their security controls and measures. This may include assessing their security policies, performing security audits, and ensuring that they comply with relevant security standards and regulations.

Areas to consider:

  • Does your service consider cyber security during the procurement process?
  • How do you seek assurance that this has taken place?

Theme: Contract management

Context: Your service should consider including specific cyber security requirements and clauses in its contracts with external providers to ensure that security measures are in place throughout the duration of the contract.

Areas to consider:

  • Does your service include cyber security requirements within contracts?
  • How is this measured?

Theme: Monitoring and reporting

Context: Regular monitoring and assessment of external providers' security practices should be conducted to ensure that they are maintaining a strong security posture.

Areas to consider:

  • How would you work with partner organisations if your IT systems were unavailable?
  • How would you work with partner organisations if they were experiencing a cyber attack themselves?

Step 8: Be clear on ways to respond and recover

As Director of Children's Services, you should identify the ways in which your service would respond to and recover from an incident or unplanned disruption. You will likely already be feeding into a Business Continuity Plan (BCP) on a corporate level, and using the risk areas above, your service, informed by the team within it, should be able to create a BCP that is fit for purpose during a cyber attack. Although it is impossible to completely prevent a cyber attack, your service can plan to ensure that the impact is at a minimum.

Having a robust, tailored BCP for each service is essential when considering cyber security. If your council was the victim of a cyber attack, the first step of your IT service is likely to be taking down all IT services and disabling access to any systems while they identify the cause and impact of the problem. The team would then be focusing their effort on preventing further damage, recovering systems, restoring backups, managing access and so on. During this time, there would likely be no access to IT services.

Therefore, your service must have a clear plan around how you would cope with no IT access for a significant period; sometimes stretching to weeks or even months.

Update your business continuity plan to make sure this covers cyber security and addresses the areas raised in the guide above. Encourage team members to regularly consider how they could continue to provide essential services for vulnerable children if your recording systems were unavailable, or all IT access was suspended. Ensure this document is regularly updated, circulated to all key parties and accessible offline.

Communication

If your service is the victim of a cyber attack, it's important to think about how you communicate with external stakeholders, residents, and other teams who may also be affected. If a cyber-attack prevented you from accessing your usual communication methods (emails, Teams, and so on) you will need a backup communication plan so you can provide updates to your staff and external partners. This may be through a WhatsApp group, posts on social media or phone calls to essential partners. It's important that the contact details are regularly updated and stored offline so they can be accessed quickly. Reviewing this plan with the communications team will ensure there is a consistent approach across the council and reduce the pressure on the IT service to provide updates whilst managing a cyber incident.

Areas to consider:

  • Do all staff understand how to report a cyber attack, and to whom?
  • How will staff communicate without access to the internet?
  • Is there a communications plan in place to help with response to media requests or questions from residents?
  • Do you know who to report a cyber attack to, e.g. NCSC, LGA, police etc.?

Staff

During a cyber attack there may be an increased level of stress and responsibility on staff due to increased workload and pressure from residents.[20] It is crucial to make sure there are systems in place to support staff through this time.

Areas to consider:

  • Do all staff understand their roles and responsibilities during a potential cyber attack?
  • What offline communication methods are in place to ensure all staff can speak during this period?
  • What actions do you take to ensure there is a positive cyber security culture in your service?

Safeguarding

Out of hours social care support teams are often based at other sites or are part of another authority and cover multiple areas, so you need to think about both the risk of your authority being subject to a cyber attack and the implications if their site was attacked.

Other areas to think about are how key papers would be presented to court if you did not have access to your case recording system, how you would manage new referrals, and how you would ensure staff safety when you may not be able to see case warnings such as 'do not visit alone' or 'do not share this information with…'.

Areas to consider:

  • If the out of hours service were unable to access your case recording system, how would they be able to check whether a child is subject to a CP plan, is placed with a foster carer, should only be visited in pairs, and so on?

Conclusion

Cyber security is a constantly evolving threat. It's impossible to fully prevent and protect your organisation from every type of attack. Your IT team should have robust processes in place to prevent as many attacks as possible, but it's important for every member of your children's services to take a proactive approach to cyber security.

During user research, an interviewee described IT's role in cyber security as 'locking the door' and said:

There's no point in having a locked door if you give somebody a key… there's definitely some people who are leaving the lock on the latch.

As a Director of Children's Services, it's important to remain aware of the latest guidance regarding cyber security and consider how this advice impacts on your ability to deliver your services to vulnerable children. The LGA provides regular emails to its members highlighting current cyber issues. This information is for councils to share regularly with their teams and colleagues to create a positive attitude towards cyber security and encourage staff to ask questions and report potential threats.

Endnotes

[1] https://www.ajg.com/uk/news-and-insights/2022/august/uk-councils-hit-by-10000-cyber-attacks

[3] Cyber and information security (nao.org.uk)

[6] DFE stat guidance template (publishing.service.gov.uk)

[7] Vulnerability management - NCSC.GOV.UK

[9] 2022 cyber security incentives and regulation review - GOV.UK (www.gov.uk)

[10] Adapted from: Ciaran Martin, 2020. 'Cyber Attacks: What actual harm do they do?' RUSI.

[11] Phishing attacks: defending your organisation - NCSC.GOV.UK

[14] There is a distinction between data and information; information is data with context applied that allows us to derive meaning from it, e.g. a database of children in care will include data such as names, addresses and dates of birth. When you combine the data, you get information about the children receiving care.